python反编译

​

python反编译

• .exe → .pyc

  工具：

  pyinstxtractor

  https://github.com/extremecoders-re/pyinstxtractor

  https://github.com/countercept/python-exe-unpacker

  命令：python pyinstxtractor.py [filename]

  转换出来的主程序格式不对，还需要对其进行手动修复。

  需要在该文件起始位置加上8个字节的pyc头，由4字节的magic和4字节的时间戳组成，其中magic会因为python版本的不同而不同，有个技巧就是，查看struct文件的magic，直接复制过去，保存为.pyc文件。

  Pyinstaller

  https://github.com/pyinstaller/pyinstaller

  命令：

  python archive_viewer.py [filename]

  ? x src

  ? x struct

  两者对比文件头，添加12字节。

• .pyc → .py

  工具：

  uncompyle6 - https://pypi.org/project/uncompyle6/

  decompyle3 - https://github.com/rocky/python-decompile3

  pycdc - https://github.com/zrax/pycdc

  安装：pip install uncompyle6

  命令：uncompyle6 [filename].pyc > [output-filename].py

pyc文件恢复（去混淆）

https://www.52pojie.cn/thread-912103-1-1.html

• 常见版本幻数

  python 2.7 - 03 F3 0D 0A

  python 3.6 - 33 0D 0D 0A

  python 3.7 - 42 0D 0D 0A

  python 3.8 - 55 0D 0D 0A

  python 3.9+ - 61 0D 0D 0A

• 恢复bytecode

  #安装环境
  import dis, marshal, sys
  
  header_sizes = [
      # (size, first version this applies to)
      # pyc files were introduced in 0.9.2 way, way back in June 1991.
      (8,  (0, 9, 2)),  # 2 bytes magic number, \r\n, 4 bytes UNIX timestamp
      (12, (3, 6)),     # added 4 bytes file size
      # bytes 4-8 are flags, meaning of 9-16 depends on what flags are set
      # bit 0 not set: 9-12 timestamp, 13-16 file size
      # bit 0 set: 9-16 file hash (SipHash-2-4, k0 = 4 bytes of the file, k1 = 0)
      (16, (3, 7)),     # inserted 4 bytes bit flag field at 4-8 
      # future version may add more bytes still, at which point we can extend
      # this table. It is correct for Python versions up to 3.9
  ]
  header_size = next(s for s, v in reversed(header_sizes) if sys.version_info >= v)
  
  with open('main.pyc', "rb") as f:
      metadata = f.read(header_size)  # first header_size bytes are metadata
      code = marshal.load(f)          # rest is a marshalled code object
  
  dis.dis(code)